By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: IncodePublished December 16, 2025

TL;DR: A $37.4 million GSA contract was awarded to support Login.gov’s next-generation remote unsupervised identity proofing, aiming to improve verification accuracy, reduce fraud, and preserve privacy across government services, according to Incode. The signal for practitioners is that digital identity assurance is moving toward higher-friction controls that must still scale.


At a glance

What this is: Incode’s Login.gov work centers on remote unsupervised identity proofing designed to strengthen digital identity verification while reducing fraud and preserving privacy.

Why it matters: It matters because identity verification governance now sits at the boundary of fraud prevention, access control, and citizen trust, which affects IAM, assurance, and lifecycle design across public-sector programmes.

👉 Read Incode’s article on the Login.gov contract and next-generation identity proofing


Context

Digital identity verification is the control layer that decides whether a person should be trusted enough to access a service, complete a transaction, or continue a session. In public-sector environments, that decision has to balance fraud resistance, accessibility, privacy, and operational scale, which makes the governance problem harder than a simple login check.

This article is about that assurance problem in the context of Login.gov and remote unsupervised identity proofing. The identity angle is direct: stronger citizen verification changes how access is granted, how evidence is assessed, and how fraud controls interact with service delivery, while the same governance logic also informs broader IAM and verification programmes.


Key questions

Q: How should organisations set identity proofing standards for high-risk access?

A: Start by defining the assurance level required for each use case, then require evidence that matches the sensitivity of the decision. High-risk enrolment, recovery, and privileged access should rely on multiple trusted sources, not a single document or self-asserted claim. The standard should be consistent across the identity lifecycle.

Q: Why do digital identity verification programmes need fraud controls as well as accuracy metrics?

A: A system can be accurate in normal conditions and still be weak against synthetic identities, deepfakes, or replay attacks. Fraud controls matter because adversaries target the proofing workflow itself, not just the login. Teams should measure adversarial resistance, exception rates, and recovery abuse, not only pass rates.

Q: What breaks when identity evidence is retained too broadly?

A: Broad retention expands the attack surface and increases privacy risk, especially when biometric or documentary evidence is stored beyond the period needed for verification or audit. It also creates reuse risk, because the same evidence may be exposed across systems or vendors. Teams should minimise retention and separate proofing evidence from general access records.

Q: Who is accountable when identity proofing fails and a false account is created?

A: Accountability usually spans the service owner, the identity governance team, and any third-party proofing provider involved in evidence handling. The practical question is whether the organisation defined assurance thresholds, escalation paths, and audit evidence before rollout. Governance should assign ownership for both verification quality and downstream account recovery.


Technical breakdown

Remote unsupervised identity proofing: how assurance is built without an in-person check

Remote unsupervised proofing relies on a combination of document verification, biometric comparison, liveness detection, and risk scoring to establish that the claimant is real and present. The core challenge is not just accuracy, but resilience against spoofing, deepfakes, synthetic identities, and replay attacks. Because the user is not physically supervised, the workflow must compensate with layered checks, telemetry, and exception handling that preserve usability without reducing assurance below acceptable levels.

Practical implication: teams should treat remote proofing as a multi-control workflow and test where the highest-risk false accepts and false rejects appear.

Privacy-preserving identity verification and the data minimisation problem

Privacy-first verification tries to confirm identity without exposing more personal data than necessary. That usually means limiting retention, constraining data reuse, and separating verification evidence from downstream authorisation records. In identity programmes, this matters because proofing systems can become high-value repositories of sensitive biometrics and documents. If privacy controls are weak, the verification layer itself becomes a data-risk surface rather than just an access-control function.

Practical implication: identity teams should map what is collected, what is retained, and which evidence is actually needed for audit or appeal.

Fraud prevention in digital identity: why identity assurance is now a security control

Fraud prevention and identity assurance are converging because attackers increasingly target onboarding, account recovery, and proofing flows rather than passwords alone. Modern fraud schemes exploit weaknesses in evidence quality, synthetic identities, and trust reuse across services. That makes identity proofing part of the security architecture, not merely a compliance or customer-experience layer. Public-sector platforms need to design for both authentic users and adversarial claimants.

Practical implication: organisations should align proofing policy with fraud telemetry, escalation paths, and account recovery controls.


Threat narrative

Attacker objective: The attacker’s objective is to obtain trusted digital access under a false identity and use that access to commit fraud or abuse government services.

  1. Entry occurs through weak or manipulated identity evidence in a remote proofing flow, such as synthetic identity data or spoofed biometric inputs.
  2. Escalation follows when the claimant passes verification controls that are not tuned to detect high-confidence fraud patterns.
  3. Impact is unauthorised access to a trusted government account or service, with downstream fraud, data exposure, or account takeover.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Digital identity verification is now a fraud-control discipline, not just an onboarding step. Public-sector proofing programmes are being asked to prove both who the user is and whether the evidence presented is trustworthy under attack. That shifts the governance burden onto assurance design, exception handling, and post-verification account controls. Practitioners should treat proofing policy as part of security architecture, not a standalone business process.

Privacy-first identity design is becoming a control requirement, not a branding choice. Once biometric and documentary evidence enters the verification pipeline, minimisation, retention, and segregation of data become governance issues in their own right. The article points to a model where privacy and security have to be designed together, especially when sensitive identity evidence is reused or retained beyond the original verification event. Practitioners should reduce data exposure at the verification layer itself.

Identity assurance gaps increasingly overlap with IAM lifecycle weaknesses. A successful proofing event only matters if downstream account recovery, reauthentication, and privilege assignment are equally controlled. This is where digital identity verification intersects with IAM: weak lifecycle governance can undermine even strong initial proofing. Practitioners should connect identity proofing assurance to account lifecycle, not treat it as an isolated checkpoint.

Trust at scale requires measurable resistance to adversarial identity behaviour. The article’s core lesson is that high-volume identity verification cannot rely on static confidence alone. Systems need continuous tuning for synthetic identities, deepfake patterns, and anomalous recovery behaviour, or they will drift toward convenience over assurance. Practitioners should measure proofing performance against adversarial conditions, not only operational throughput.

From our research:

What this signals

Identity proofing is drifting closer to a policy decision engine than a single verification check. As fraud patterns evolve, programmes need to connect evidence quality, device signals, and recovery workflows into one governance view. For teams building on identity assurance, the operational question is whether a false accept can be contained before it becomes an access grant.

Verification trust gaps will increasingly show up as lifecycle failures. If the organisation cannot link a proofing event to account recovery, reauthentication, and access revocation, the assurance layer becomes fragile. Practitioners should look at proofing as part of end-to-end identity lifecycle management rather than a one-time onboarding control.

From our research, 92% of organisations expose NHIs to third parties, which is a reminder that trust boundaries rarely stop at the first verification step. That matters here because identity assurance is only durable when the surrounding access and evidence flows are governed with the same discipline as the initial proofing decision. Teams should align verification policy with the Ultimate Guide to NHIs and with NIST Cybersecurity Framework 2.0.


For practitioners

  • Define assurance tiers for remote proofing Separate low-risk access paths from high-risk transactions so that stronger identity proofing is only required where fraud impact justifies it.
  • Minimise identity evidence retention Store only the evidence required for audit, dispute resolution, and regulatory obligations, and shorten retention windows for biometric and document artifacts.
  • Link proofing outcomes to IAM lifecycle controls Make sure account recovery, step-up verification, and privileged access assignment all depend on the same verified identity state.
  • Test proofing against synthetic and deepfake scenarios Run adversarial testing against document, biometric, and liveness controls so that false accepts are measured under realistic fraud conditions.
  • Review third-party identity evidence handling If external providers process biometric or documentary data, confirm contractual limits on storage, reuse, and escalation before production rollout.

Key takeaways

  • Remote identity proofing is becoming a core fraud-control layer, not a back-office verification task.
  • Privacy, assurance, and lifecycle governance now have to be designed together or the verification layer becomes a risk surface.
  • Practitioners should measure adversarial resistance, retention discipline, and downstream IAM linkage, not just pass rates.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63ARemote proofing and identity proofing map directly to NIST digital identity guidance.
NIST CSF 2.0PR.AC-1Identity verification governs how access is granted to services and systems.
NIST SP 800-53 Rev 5IA-2Identity proofing supports authentication and identity lifecycle control.
GDPRArt.5Biometric and documentary identity data raise data minimisation and purpose limitation issues.

Align remote proofing with IA-2 and ensure identity assertions are validated before account creation.


Key terms

  • Remote Unsupervised Identity Proofing: Remote unsupervised identity proofing is the process of verifying a person’s identity without an in-person agent present. It combines document checks, biometric matching, liveness detection, and risk analysis to establish trust in a digital workflow while resisting spoofing and synthetic identity attacks.
  • Identity Assurance: The confidence an organisation has that a person or system is truly who it claims to be before access or action is granted. In modern IAM, assurance depends on evidence quality, channel trust, and the strength of verification around high-risk decisions.
  • Privacy-First Verification: Privacy-first verification means confirming identity while limiting the amount of personal data collected, retained, and reused. The objective is to reduce exposure of sensitive evidence such as biometrics and documents without weakening the organisation’s ability to prove compliance, investigate disputes, or stop fraud.
  • Fraud Telemetry: Fraud telemetry is the collection of signals that indicate suspicious or adversarial behaviour during onboarding, login, or account recovery. It includes device, behavioural, document, and biometric indicators that help teams detect attack patterns before they become successful identity abuse.

What's in the full analysis

Incode's full article covers the operational detail this post intentionally leaves for the source:

  • Implementation context for Login.gov’s next-generation identity proofing programme and the government service scope it supports.
  • The specific privacy-first architecture considerations behind remote unsupervised verification and how they map to federal use cases.
  • How the contract relates to identity verification, fraud prevention, and large-scale public-sector rollout decisions.
  • The vendor’s own positioning on biometric accuracy, fairness, and service usability in government environments.

👉 Incode’s full article covers the contract context, public-sector use case, and the company’s stated identity verification approach.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives practitioners a structured way to connect identity controls to the broader security programme.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org